svn commit: r349890 - head/contrib/telnet/telnet
Cy Schubert
Cy.Schubert at cschubert.com
Thu Jul 11 02:06:51 UTC 2019
In message <20190711014729.GB23621 at FreeBSD.org>, Alexey Dokuchaev
writes:
> On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote:
> > New Revision: 349890
> > URL: https://svnweb.freebsd.org/changeset/base/349890
> >
> > Log:
> > telnet: fix a couple of snprintf() buffer overflows
> >
> > Modified: head/contrib/telnet/telnet/commands.c
> > @@ -1655,10 +1655,11 @@ env_init(void)
> > char hbuf[256+1];
> > char *cp2 = strchr((char *)ep->value, ':');
> >
> > - gethostname(hbuf, 256);
> > - hbuf[256] = '\0';
> > - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
> > - sprintf((char *)cp, "%s%s", hbuf, cp2);
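Review bot: the removed lines hand the malloc() result straight to sprintf() with no NULL check, and the replacement (`+`) lines of this hunk are not quoted, so it is worth confirming that the new snprintf() call both tests `cp` before writing and passes exactly the `strlen(hbuf) + strlen(cp2) + 1` it allocated; a size argument that drifts from the allocation is the same class of bug the commit message says it fixes. Note also that `strlen(cp2)` assumes `strchr((char *)ep->value, ':')` found a ':'; the quoted context does not show that check, so it should be guaranteed by the enclosing condition or added.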
>
> Would it make sense to add something like __attribute__ ((deprecated))
> to those unsafe functions like gets(), sprintf(), etc.? Or would it
> cause too much PITA?
sprintf() is not deprecated (https://en.cppreference.com/w/c/io/fprintf).
gets() is removed in C11 (https://en.cppreference.com/w/c/io/gets),
replaced by gets_s().
We already have gets_s(). We need printf_s(), sprintf_s() and
snprintf_s().
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
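The pattern the quoted hunk replaces (exact-size malloc() followed by an unbounded sprintf() of the host name and a DISPLAY suffix), written out as an added example of the bounded form. This is not FreeBSD's telnet code: join_host_display() and local_hostname() are hypothetical helpers that take the host name and DISPLAY value as parameters so the function can be exercised offline, and the unsafe_sprintf() declaration only shows how the __attribute__((deprecated)) idea raised in the thread looks on a prototype.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not FreeBSD's telnet code.  Mirrors env_init(): prefix a
 * DISPLAY value such as ":0" or "unix:0" with the local host name.  'host'
 * and 'display' are parameters (assumption) so this is testable without
 * gethostname() or the environment. */
char *
join_host_display(const char *host, const char *display)
{
	const char *colon;
	size_t len;
	char *out;
	int n;

	if (host == NULL || display == NULL)
		return (NULL);
	/* strchr() returns NULL when there is no ':'; strlen(NULL) in the
	 * original pattern would crash, so fail here instead. */
	colon = strchr(display, ':');
	if (colon == NULL)
		return (NULL);

	/* Exact size needed: host + ":N" + NUL.  The size passed to
	 * snprintf() below is the same 'len', so the two cannot drift. */
	len = strlen(host) + strlen(colon) + 1;
	out = malloc(len);
	if (out == NULL)
		return (NULL);

	n = snprintf(out, len, "%s%s", host, colon);
	if (n < 0 || (size_t)n >= len) {
		/* snprintf() cannot overflow, but it can truncate; fail
		 * closed rather than return a silently shortened DISPLAY. */
		free(out);
		return (NULL);
	}
	return (out);
}

/* Bounded host-name lookup matching the hbuf[256+1] pattern in the hunk:
 * gethostname() is not guaranteed to NUL-terminate a truncated name, so
 * reserve one byte and terminate explicitly. */
int
local_hostname(char *buf, size_t bufsz)
{
	if (buf == NULL || bufsz == 0)
		return (-1);
	if (gethostname(buf, bufsz - 1) != 0)
		return (-1);
	buf[bufsz - 1] = '\0';
	return (0);
}

/* The __attribute__((deprecated)) approach from the thread, on a local
 * prototype (assumption: GCC/Clang).  Any call site compiles but emits a
 * warning pointing at the replacement; nothing here calls it. */
#if defined(__GNUC__)
int unsafe_sprintf(char *, const char *, ...)
    __attribute__((deprecated("unbounded; use snprintf() and check its return")));
#endif

int
main(void)
{
	char hbuf[256 + 1];
	char *disp;

	if (local_hostname(hbuf, sizeof(hbuf)) != 0)
		return (1);
	disp = join_host_display(hbuf, ":0.0");
	if (disp == NULL)
		return (1);
	printf("DISPLAY=%s\n", disp);
	free(disp);
	return (0);
}
```

The point of checking snprintf()'s return value is that the bounded call removes the overflow but not the truncation: if the format or the size computation are ever changed independently, a shortened DISPLAY is returned rather than memory being overwritten, and only the return-value check makes that visible.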